
Research
Security News
Lazarus Strikes npm Again with New Wave of Malicious Packages
The Socket Research Team has discovered six new malicious npm packages linked to North Korea’s Lazarus Group, designed to steal credentials and deploy backdoors.
This is a client for the Config Server project. It allows you to retrieve configuration for your Ruby project.
The first time get_config
is called, ConfigServerAgent
will request your config pack from the configured Config Server. This will be cached and returned on subsequent calls to get_config
, without further requests being made to the Config Server.
Call clear
to clear the cache. The next call to get_config
will cause the Config Server to be contacted again.
It is thread safe.
Add this line to your application's Gemfile:
gem 'config_server_agent'
And then execute:
$ bundle
Or install it yourself as:
$ gem install config_server_agent
ConfigServerAgent
requires six parameters to operate correctly. These parameters can either be explicitly provided to the constructor, or they will be pulled from environment variables. An ArgumentError
will be raised if the parameters are not available from either source. Parameters supplied to the constructor will take precedence over environment variables.
# Providing explicitly:
client = ConfigServerAgent.new(
auth0_client_id: '4F4l7leKKigMN8CziKpgjvXGKrihih1F',
auth0_client_secret: '3SrKmNAdKNzFBA3Lb6fgnTDyyFOQLt7hREWSlcU9QGc1SMKNKRL9DqmxyXQerS0E',
auth0_host: 'yourdomain.au.auth0.com',
config_server_audience: 'https://yourdomain.com',
config_server_api_key: 'Rd5N9hQlbkK7pYxMZGGsQAv...snip...C2OpRq9hEIGtp4Aw6OpEOsec5==',
config_server_host: 'https://your.config.server.com'
)
# Using environment variables:
client = ConfigServerAgent.new
# ConfigServerAgent will raise an exception if any of the following environment variables are not set:
# AUTH0_CLIENT_ID
# AUTH0_CLIENT_SECRET
# AUTH0_HOST
# CONFIG_SERVER_AUDIENCE
# CONFIG_SERVER_API_KEY
# CONFIG_SERVER_HOST
client.get_config
# => [{"id"=>"2481ea78-7699-4f59-8639-7992a6440c0f",
# "value"=>"Braintree",
# "name"=>"default_gateway",
# "area"=>"Payments",
# "created_at"=>"2018-12-06T00:39:12.236Z",
# "updated_at"=>"2018-12-06T00:39:12.236Z"},
# {"id"=>"02c74435-5309-4b7f-9a83-353cbf43e8cf",
# "value"=>false,
# "name"=>"payments_enabled",
# "area"=>"Payments",
# "created_at"=>"2018-12-06T00:39:12.240Z",
# "updated_at"=>"2018-12-06T00:39:12.240Z"},
# {"id"=>"17a0abc2-a0ac-4a2a-bfad-45a4e2afc00f",
# "value"=>"L68Wh+[foZCVW/y3h",
# "name"=>"account_password",
# "area"=>"Payments",
# "created_at"=>"2018-11-27T06:49:37.841Z",
# "updated_at"=>"2018-11-27T06:49:37.841Z"}]
After checking out the repo, run bundle install
to install dependencies. Then, run rake test
to run the tests. You can also run rake console
for an interactive prompt that will allow you to experiment.
To experiment with the code, run rake console
for an interactive prompt.
The gem is available as open source under the terms of the MIT License.
FAQs
Unknown package
We found that config_server_agent demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
The Socket Research Team has discovered six new malicious npm packages linked to North Korea’s Lazarus Group, designed to steal credentials and deploy backdoors.
Security News
Socket CEO Feross Aboukhadijeh discusses the open web, open source security, and how Socket tackles software supply chain attacks on The Pair Program podcast.
Security News
Opengrep continues building momentum with the alpha release of its Playground tool, demonstrating the project's rapid evolution just two months after its initial launch.